Password policy

Owned by Silvan Grüter
Last updated: 07. Aug 2024 by RoFa
3 min read

Introduction

Different password policies can be defined for each target system. The policy always consists of a combination of a regex pattern array and a validation text, which in turn is defined as a name key. The name key in turn allows the text to be translated into multiple languages.

Properties

Whenever you are creating of updating a catalog, you have to specify the following properties:

Property

Data Type

Mandatory

Example

Description

Property

Data Type

Mandatory

Example

Description

Name

String

Default Password Policy

The name of the password policy

Change at first logon

Bool

true

Whether or not the user must change his password upon the first logon

This option overrides the setting that can be set on the Active Directory target system

This option can be overwritten in the Active Directory identity provisioning configuration

Password expiration rule

DropDown

 

 

An optional password expiration rule

Enforce password policy on logon

Bool

 

true

Whether or not the users password should be checked against the current password policy upon logon. If the password does not meet the criteria of the password policy, the user is forced to change his password.

Check against password blacklist

Bool

true

Whether or not the password should be checked against a blacklist. For details, see the black list section further down the documentation.

Check against current password

Bool

true

Whether or not the password should be checked against the current password upon a password change. This check is performed in the target system itself and will therefore affect the execution times of a password change.

Available from version 8.1.10.

Force change when password on the black-list

Bool

true

If enabled, the user will be asked to change his password if it’s on the black list. If disabled, the user will be presented with a warning instead.

This setting needs to have the Check against password blacklist property to be enabled, otherwise it wil be ignored

How many previous passwords to check

Unsigned Integer

1

The amount of password hashes that are kept in the system to check the new password against. If set to 0, none will be kept.

Regex-Pattern-Array

The regex pattern array is a list of several regex patterns. This list must be entered in the JSON syntax.

Example multiple conditions:

[ ".{8,32}", "[A-Z]", "[a-z]", "[0-9]" ]

Beispiel einfache Bedingung:

[ ".{8,32}" ]

Validation text

For each regex pattern array a validation text can be defined, which is displayed to the user if one of the patterns does not apply.

Default-Guideline

If no password policy is assigned to a target system, the default policy applies, which has the following conditions defined:

  • At least one capital letter

  • At least one lowercase letter

  • Length between 8 and 32 characters

Regex

Name-Key

Text

Regex

Name-Key

Text

[ "[A-Z]" ]

Global.Validation.Password.Uppercase

Please enter at least one capital letter

[ "[a-z]" ]

Global.Validation.Password.Lowercase

Please enter at least one lowercase letter

[ "[0-9]" ]

Global.Validation.Password.Number

Please enter at least one number

[ "[^A-Za-z0-9]" ]

Global.Validation.Password.specialcharacter

Please enter at least one special character

[ ".{8,32}" ]

Global.Validation.Password.8To32Characters

Please enter between 8 and 32 letters

[ ".{10}" ]

Global.Validation.Password.DoesNot10charcacter

Please increase the password length to min. 10 character

Generate Password Workflow Definition Id

This feature was introduced in version 7.2

Whenever a new password for an identity with the the given password policy has to be generated, you can specify a workflow to override the default behavior. The default behavior calculates the new password that matches the default password policy.

If you have configured a more complex password policy or you want tho check the generated password against an external system, against a customized password black list or any other special use case, use your own workflow. The Generate Random String activity is particularly useful in this case.

The workflow that will be triggered does have the default input data and no additional input.

Password Blacklist

A blacklist can be added in the password policy. By default, this is stored on the app server in the directory "C:\ProgramData\itsense\BlackList.txt". Each password change will be checked against that list. An example list could look like this:

InappropriateWord EasyPassword123 1234567890 Password Password!

Check previous passwords

Indicates if a new password has to be changed against old passwords. This only applies to old passwords, the current password is always prohibited. Set this to 0 to disable the feature.

© ITSENSE AG. Alle Rechte vorbehalten. ITSENSE und CoreOne sind eingetragene Marken der ITSENSE AG.